The audit/assurance programs reflect the IT Assurance Framework (ITAF) sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes and 3800—IT Audit and Assurance Management and were developed in alignment with the Control Objectives for Information and related Technology (COBIT)—specifically COBIT 4.1.

Objective—The objectives of the applications review are to:

Provide management with an independent assessment of efficiency and effectiveness of the design and operation of internal controls and operating procedures

Provide management with the identification of application-related issues that require attention

{Additional objectives customized to the specific business as determined by the audit and assurance professional}

Scope—The review will focus upon the {list specific applications}. The scope of the review will include the following:

Identification and evaluation of the design of controls

Evaluation of control effectiveness

Assessment of compliance with regulatory requirements

Identification of issues requiring management attention

{Additional scope as determined by project team}

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.